FTC Settles with CafePress over Data Security Breaches

  • The FTC has reached a settlement with Residual Pumpkin Entity, LLC and PlanetArt, LLC—the former and current owners of online merchandise platform CafePress (collectively, “CafePress”)—to resolve allegations that CafePress failed to protect consumers’ sensitive information and inadequately responded to a 2019 data breach, in violation of Section 5 of the FTC Act.
  • According to the Complaint, CafePress failed to implement industry-standard security measures such as encryption, patch management, and logging, and failed to respond to security incidents, including a major breach in 2019 in which a hacker exported the personal information of over 22 million customers.
  • Under the terms of the proposed settlement, CafePress must implement a comprehensive information security program, including multi-factor authentication and minimization of the amount of customer data collected and retained, and will pay $500,000 in redress to affected consumers.
  • As previously reported, a group of seven AGs reached a settlement with CafePress over alleged consumer protection violations arising from the 2019 data breach.